SaaS June 30, 2026 bearish ⇧ 328 pts across 1 thread

Passport Breach Via Cannabis Membership App

A million passport scans leaked online, hosted by systems used by cannabis clubs and a company called Nefos, which runs PuffPal, an age verification and membership management platform. The breach surfaced on story 48706389. Commenters immediately flagged the absurdity: age verification for cannabis clubs requires collecting some of the most sensitive identity documents in existence, and these documents were sitting on systems with apparently minimal security.

The pattern here: age verification as a compliance requirement is getting mandated across more industries, from cannabis to alcohol to adult content. The companies building infrastructure for that compliance are a new attack surface. They're small, often underfunded, and holding passports, driver's licenses, and government IDs for millions of people.

No one asked whether PuffPal was a trustworthy custodian of government identity documents. Regulators required age verification; clubs used the cheapest tool available; the data piled up; and now a million passports are loose.


So what?

If your product touches age verification or identity for any reason, KYC compliance is now an existential security liability, not just a legal checkbox. The cost of storing sensitive documents is not just infrastructure; it's the reputational and legal exposure when something goes wrong. Founders in this space should be asking whether they can verify without storing, and if they must store, whether their security posture matches the sensitivity of what they're holding.
